How to password protect a website folder using .htaccess
To add password protection to your website you need to create a file to store usernames/passwords and add some code into a .htaccess file. This guide will show customers using LCN web hosting and WordPress hosting how to get password protection working in no time.
Let’s get started…
Creating the password file
The password file is a simple text file that contains a username and password separated by a colon (:). However, for security purposes the password must be encrypted. There’re lots of free tools that will encrypt the password for you, but you can use our tool below. Simply enter the username and password you want to use and we’ll generate a string of text that you can copy and paste.
- Create a file using a text editor such as Notepad or TextEdit.
- Save the file as: .htpasswd
- Copy and paste the username/password string generated using our tool into the document.
- Upload the .htpasswd file to your website using FTP.
Please note: Instructions on uploading the file to your website can be found here.
For extra security make sure that it is outside of your web folder so that it can never be accessed by someone going to http://www.domain.com/.htpasswd. Our hosting servers will block web access to any files beginning with .ht, but it’s recommended that the password file is not in a publicly accessible folder.
Creating the .htaccess file
Once you’ve created and uploaded your .htpasswd file you’ll need to create a .htaccess file to tell the web server what folder you want to protect and what username/password file to use.
- Create a file using a text editor such as Notepad or TextEdit.
- Save the file as: .htaccess (without any additional file extension).
- Enter the following lines of text within the file:
AuthType Basic
AuthName "My Protected Folder"
AuthUserFile ../../.htpasswd
require valid-user
Let’s go through the parameters you’ve just set:
Line 1:
AuthType Basic
Defines the type of authentication the web server will use, ‘Basic’ is perfectly adequate for what we need.
Line 2:
AuthName "My Protected Folder"
Sets the title of the username/password box that will popup when someone tries to view your protected page.
Line 3:
AuthUserFile ../../.htpasswd
Tells the web server where to find the username/password file. You will need to update ../../.htpasswd with a relative path to the location of your .htpasswd file.
The ../../.htpasswd path indicates the file is located two folders above the current directory, to point to a file within the same directory for example, you could use: ./.htpasswd
Line 4:
require valid-user
Tells the web server who in your .htpasswd file can access your folder, by using valid-user everyone in the file can view the folder.
Where to upload your .htaccess file
The .htaccess file above will protect all the files in the folder it is uploaded into, and the sub-folders under it. For example, if you wanted to protect your entire website you could place the .htaccess file in your web folder.
That’s it! You’ve successfully password protected your website.